Privacy & Information Security Law Blog

On January 28, 2013, the Federal Trade Commission announced a proposed settlement agreement with CBR Systems, Inc. (“CBR”), an operator of a cord blood bank, which collects personal information about consumers and physicians through its websites and in connection with the provision of its services, including names, addresses, dates of birth, Social Security numbers, credit card numbers and health information.

On January 28, 2013, European Data Privacy Day, the London office of Hunton & Williams hosted the launch of senior attorney Rosemary Jay’s fourth edition book, Data Protection Law & Practice, by publisher Sweet & Maxwell.

On January 23, 2012, the Federal Financial Institutions Examination Council (“FFIEC”) released proposed guidance, Social Media: Consumer Compliance Risk Management Guidance (the “Guidance”) to address how federal consumer protection laws may apply to the social media activities of financial institutions that are supervised by the Consumer Financial Protection Bureau. Comments on the guidance must be submitted within 60 days (before March 25, 2013). After consideration of the public comments, and once the guidance is finalized, financial institutions will be expected to “use the guidance in their efforts to ensure that their risk management practices adequately address the consumer compliance and legal risks, as well as related risks, such as reputation and operational risks, raised by activities conducted via social media.” Rather than imposing additional obligations on financial institutions, the Guidance is intended to help financial institutions comply with existing federal requirements as they apply to the use of social media platforms.

Reporting from Australia, former Australian Privacy Commissioner Malcolm Crompton, Managing Director of Information Integrity Solutions Pty Ltd (“IIS”), writes:

The Australian Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the “Act”) will make significant changes to the Privacy Act 1988. It’s early days for the changes and the impact for organizations will depend on their circumstances. Over the next 15 months we expect to see a range of guidance material from the Office of the Australian Information Commissioner.

The wait is over. On January 17, 2013, the Department of Health and Human Services’ (“HHS’”) Office for Civil Rights (“OCR”) released its long-anticipated megarule (“Omnibus Rule”) amending the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. These amendments implement and expand on the requirements of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the Genetic Information Nondiscrimination Act of 2008. The Omnibus Rule is effective March 26, 2013, and compliance is required with respect to most provisions no later than September 23, 2013. Coming into compliance will require significant effort and attention by covered entities and business associates alike. Below we highlight some of the more significant aspects of the Omnibus Rule and provide critical compliance tips.

On January 24, 2013, the UK Information Commissioner’s Office (“ICO”) served Sony Computer Entertainment Europe Limited (“Sony”) with a monetary penalty of £250,000 resulting from a serious breach of the Data Protection Act 1998. An April 2011 security incident involving the Sony PlayStation Network Platform affected the personal data of millions of customers, including names, addresses, email addresses, dates of birth, account passwords and credit card details.

In an interview with Tom Field of BankInfoSecurity, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, discussed the top privacy trends and threats for 2013. Lisa predicts that security vulnerabilities will remain the biggest threat to privacy, particularly with the move toward mobile computing. She also talked about key issues to watch in 2013, such as online behavioral advertising, big data and evolving privacy legislation and regulation, especially in the EU and other countries around the globe.

Listen to Lisa’s ...

On January 17, 2013, the Department of Health and Human Services (“HHS”) issued a Final Omnibus Rule modifying the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as well as the Breach Notification Rule promulgated pursuant to the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009. The Final Rule comes two and a half years after the proposed rule was published in July 2010.

On January 16, 2013, the French Data Protection Authority (“CNIL”) released its opinion on the draft report issued by Jan Philipp Albrecht, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Report”). The Report included detailed amendments to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) submitted by various stakeholders which Rapporteur Albrecht consolidated and distilled into a single text. The CNIL’s Report welcomes these amendments and in particular, the following:

In a January 13, 2013 blog post, the Federal Trade Commission’s Bureau of Consumer Protection’s Business Center Blog highlighted the FTC’s recent groundbreaking settlement for violations of the Fair Credit Reporting Act (“FCRA”) in the mobile app context. The settlement with Filiquarian Publishing, LLC, Choice Level, LLC, and Joshua Linsk (the owner of Filiquarian and Choice Level, collectively, the “Companies”), is the first FCRA enforcement action against a mobile app developer. Filiquarian offered mobile apps to consumers for purposes of conducting criminal background checks in numerous states, and Choice Level provided the criminal background checks used by the apps to Filiquarian.